@tntwist
Last active August 13, 2022 23:19
pi-hole and cloudflared(dns over https) with ipv6
# Requirements
# 1. Enable IPv6 for the Docker daemon:
#    $ cat /etc/docker/daemon.json
#    {
#      "ipv6": true,
#      "fixed-cidr-v6": "2001:db8:1::/64"
#    }
# 2. Reload Docker:
#    $ sudo systemctl reload docker
# 3. Start:
#    $ docker-compose -f docker-compose.yml up -d
version: "2.1"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  # DNS-over-HTTPS proxy; Pi-hole forwards its upstream queries to it on port 5054
  cloudflared:
    container_name: cloudflared
    image: visibilityspots/cloudflared:arm
    restart: unless-stopped
    networks:
      pihole_net:
        ipv4_address: 10.0.0.2
        ipv6_address: 2001:3200:3200::20
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "81:80/tcp"
      - "443:443/tcp"
    environment:
      - TZ=Europe/Berlin
      - WEBPASSWORD=YOURPW # replace with your own admin password
      - IPv6=true
      - ServerIP=192.168.178.22 # IPv4 address of docker host
      - ServerIPv6=2a02:908:3710:7ce0:5c5e:cdf1:d051:4026 # IPv6 address of docker host
      # Upstream resolvers: the cloudflared container, over IPv4 and IPv6
      - DNS1='10.0.0.2#5054'
      - DNS2='2001:3200:3200::20#5054'
      # "all" answers queries from any origin, so keep port 53 closed to the
      # internet on the host or router firewall
      - DNSMASQ_LISTENING=all
    networks:
      pihole_net:
        ipv4_address: 10.0.0.3
        ipv6_address: 2001:3200:3200::30
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    dns:
      - 127.0.0.1
      - 8.8.8.8
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped
networks:
  pihole_net:
    driver: bridge
    enable_ipv6: true
    ipam:
      config:
        - subnet: 10.0.0.0/29
        - subnet: 2001:3200:3200::/64
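
A consistency check for the static addressing in the compose file above, added here as an example (it is not part of the gist). The `GIST` dict layout and the `lint` function are assumptions of this example; the addresses are copied from the file, and the check assumes Docker gives the first host address of each subnet to the bridge gateway.

```python
import ipaddress

# Values copied from the compose file above; this dict layout is an assumption
# of the example, not docker-compose's own data model.
GIST = {
    "subnets": ["10.0.0.0/29", "2001:3200:3200::/64"],
    "services": {
        "cloudflared": ["10.0.0.2", "2001:3200:3200::20"],
        "pihole": ["10.0.0.3", "2001:3200:3200::30"],
    },
    "upstreams": ["10.0.0.2#5054", "2001:3200:3200::20#5054"],  # DNS1, DNS2
    "resolver": "cloudflared",  # service the upstreams must point at
}

def lint(cfg):
    """Return a sorted list of findings for a static-IP compose network."""
    nets = [ipaddress.ip_network(s) for s in cfg["subnets"]]
    findings, seen = [], {}
    for name, addrs in cfg["services"].items():
        for text in addrs:
            ip = ipaddress.ip_address(text)
            net = next((n for n in nets if n.version == ip.version and ip in n), None)
            if net is None:
                findings.append(f"ERROR {name}: {ip} is outside every declared subnet")
            elif ip in (net.network_address, net.network_address + 1, net.broadcast_address):
                # network_address + 1 is the gateway Docker picks by default
                findings.append(f"ERROR {name}: {ip} collides with network, gateway or broadcast")
            if ip in seen:
                findings.append(f"ERROR {name}: {ip} is already used by {seen[ip]}")
            seen[ip] = name
    resolver = {ipaddress.ip_address(a) for a in cfg["services"][cfg["resolver"]]}
    for upstream in cfg["upstreams"]:
        if ipaddress.ip_address(upstream.split("#")[0]) not in resolver:
            findings.append(f"ERROR upstream {upstream} does not point at {cfg['resolver']}")
    for net in nets:
        if not net.is_private:
            # Containers treat the whole prefix as on-link, hiding real hosts in it
            findings.append(f"WARN {net} is globally routable space, not a private or ULA range")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint(GIST)))
```
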
@johntdavis84

Hello!

Thank you so much for this. I just installed docker and this is my first attempted deployment. I spent a few days figuring out enough to get IPv6 enabled in the docker daemon, and was getting nowhere with the compose file until I found your sample.

Where are you getting your value for "ServerIPv6"? I'm not certain I'm getting a static IP to my host from my router.
My router serves IPv6 addresses without a problem, but unlike with IPv4, I cannot explicitly tell it to give specific machines static addresses.
Running "ip addr show" has given me the same address on my eth0 interface after 3 runs (with a restart after each), but that could just mean the router has decided the lease on the IP hasn't expired yet. I'm particularly concerned as the entry includes the indicators "scope global dynamic noprefixroute." The "dynamic" suggests it might change.

I'm using it for now. Fingers crossed.

When I brought the container up, everything seems to have worked, at least as far as executing the up command. I haven't tested it yet.
Is there a way I can test if the IPv6 routing is working aside from pointing my router's DNS at the pi-hole?

(A note for Manjaro ARM users: There's a bug in the arm image's lighttpd. It will fall into an infinite loop when you attempt to bring up the container unless you include "privileged: true" in the "pihole" service. I have mine directly under "image:")

I did notice under the "network" tab in the Pi-Hole web admin, it's only seeing the ipv4 localhost (127.0.0.1). There's three 172.x.x.x entries and a 10.0.0.1 entry that are listed as unable to connect.

The 10.0.0.1 entry includes an IPv6 address it lists as unable to connect to. None of these addresses are the ones I set in the docker-compose file. Maybe this has something to do with pi-hole only working on localhost?

One oddity: my docker network is named: "pi-hole_pihole_net" in the docker network list. The docker-compose.yml file is in a directory called "pi-hole." Is there some way I can fix this? It's not really a problem. It just looks kind of odd.

Thanks again!

@tntwist
Author

tntwist commented Jul 16, 2020

Hi @johntdavis84,

thanks for your nice comment. I'm glad this compose file could help you.

> Where are you getting your value for "ServerIPv6"? I'm not certain I'm getting a static IP to my host from my router.

My router is configured to give my raspberry pi a static ipv6 address. If you can not configure your router to give your device a static ip you could set the dhcp settings of your device to a static ip address. Here is a link for the raspberry pi: https://www.raspberrypi.org/forums/viewtopic.php?t=268617
Hope this helps.

> Is there a way I can test if the IPv6 routing is working aside from pointing my router's DNS at the pi-hole?

You run the following command and check if you get an IPv6 Address for google.com:
`nslookup google.com 2a02:908:3710:7ce0:5c5e:cdf1:d051:4026` (change the ip to your pi.hole's host ip)

> The 10.0.0.1 entry includes an IPv6 address it lists as unable to connect to. None of these addresses are the ones I set in the docker-compose file. Maybe this has something to do with pi-hole only working on localhost?

My entry lists as green:
[image]
The rest of the entries are nearly all IPv4. I can't tell if these should have also an ipv6 address. :/

> One oddity: my docker network is named: "pi-hole_pihole_net" in the docker network list. The docker-compose.yml file is in a directory called "pi-hole." Is there some way I can fix this? It's not really a problem. It just looks kind of odd.

This is the default naming convention of resources for docker-compose. It will always name the resources something like "foldername_resourcename". I don't know if you can change this behavior. You might find something in the docker-compose docs.
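
The `nslookup` test from the comment above, as an added example that is not part of the original thread: a small client that sends an AAAA query over IPv6 UDP and parses the answer, so a reply confirms both IPv6 transport to the Pi-hole and IPv6 records coming back. All function names are this example's own, and `SAMPLE` is a constructed response using documentation addresses so the parser can be checked offline.

```python
import ipaddress
import socket
import struct

AAAA = 28  # DNS record type for IPv6 addresses

def build_query(name, txid=0x1234):
    """Encode a one-question AAAA query with recursion desired."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", AAAA, 1)

def _skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[pos] != 0:
        if (msg[pos] & 0xC0) == 0xC0:  # a compression pointer ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_aaaa(msg):
    """Return (rcode, [IPv6Address, ...]) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == AAAA and rdlen == 16:  # CNAMEs and other types are skipped
            found.append(ipaddress.IPv6Address(msg[pos:pos + 16]))
        pos += rdlen
    return flags & 0x000F, found

def probe(server_v6, name, port=53, timeout=3.0):
    """Query the resolver at an IPv6 address; raises socket.timeout if unreachable."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_v6, port))
        return parse_aaaa(sock.recvfrom(4096)[0])

# Constructed response (not captured traffic): example.com AAAA 2001:db8::1
_Q = build_query("example.com")
SAMPLE = (_Q[:2] + struct.pack("!5H", 0x8180, 1, 1, 0, 0) + _Q[12:]
          + b"\xc0\x0c" + struct.pack("!HHIH", AAAA, 1, 60, 16)
          + ipaddress.IPv6Address("2001:db8::1").packed)
```

Calling `probe("<docker host IPv6 address>", "google.com")` returns rcode 0 and a non-empty address list when the Pi-hole answers over IPv6; a timeout means port 53 is not reachable on that address.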

@johntdavis84

johntdavis84 commented Jul 16, 2020

Thanks again for this additional info. :)

Question: what's the best way to reset things if I need to further modify the docker-compose.yml file? Should I docker-compose down the container and completely start over, or is there a way to load in the new changes without destroying the container?

At this point I've done literally nothing except log into the admin console and stare at it a bit, so deleting the image is no big deal...

> > Where are you getting your value for "ServerIPv6"? I'm not certain I'm getting a static IP to my host from my router.
>
> My router is configured to give my raspberry pi a static ipv6 address. If you can not configure your router to give your device a static ip you could set the dhcp settings of your device to a static ip address. Here is a link for the raspberry pi: https://www.raspberrypi.org/forums/viewtopic.php?t=268617
> Hope this helps.

Awesome!

I will check this out. I'm glad this sounds like an easily solvable problem.
EDIT: The IPv6 address is definitely changing. It has changed since I checked it last night, without any reboot.

> > Is there a way I can test if the IPv6 routing is working aside from pointing my router's DNS at the pi-hole?
>
> You run the following command and check if you get an IPv6 Address for google.com:
> `nslookup google.com 2a02:908:3710:7ce0:5c5e:cdf1:d051:4026` (change the ip to your pi.hole's host ip)

I will try this and see what I get back. My computer has suddenly decided to melt, so I think a restart is in order...

> > The 10.0.0.1 entry includes an IPv6 address it lists as unable to connect to. None of these addresses are the ones I set in the docker-compose file. Maybe this has something to do with pi-hole only working on localhost?
>
> My entry lists as green:
> [image]
> The rest of the entries are nearly all IPv4. I can't tell if these should have also an ipv6 address. :/

Mine is ... definitely not. I'll make sure the IPv6 host address is right and try again.
